Monday, May 21, 2012

The Rapid Research Method

The Rapid Research Method is a way to speed up your product research.  It’s also a way to shorten ramp-up time when you are learning a new domain.  The Rapid Research Method is also a key for rapid innovation and rapid product design and development.  Lastly, the Rapid Research Method is a great way to map out a space and perform competitive assessments.
One of the challenges with product development is doing effective research for your product design to make sure you have the right map of the pains and needs, the top concerns, and the key desired outcomes.   Another challenge is actually making this information actionable and simple to share.  
I’ve had the benefit of driving several projects end-to-end, so I’ve been through the research and exploration stage multiple times.  I’ve learned a lot of tricks for speeding up research and making it more effective.   I’ve had to use these techniques to play catch up in various domains from application architecture to security and performance, to even the cloud.   They work.  
I’m going to share a few techniques in this post.  Collectively, I’ll refer to using them as the Rapid Research Method.  It’s the approach I’ve used for many, many projects over many years, and as a way to perform competitive assessments.
What’s important about the techniques is that they make it easy to rapidly organize and share vast amounts of information in an actionable way.   Looking back, one of the big surprises for me is how just about any domain can be broken down into questions and tasks.   If you know the questions that people ask and the tasks they need to perform, you’ve effectively mapped out the most important information within that domain.   This helps you prioritize all the rest of the information, such as concepts, principles, patterns, and practices.    Another way to look at it is that all the information is either going to be action or reference.   For example, a checklist would be actionable, while a whitepaper on a key topic, tends to be conceptual.
Software, like an information product, tends to suffer from information management problems.   It’s tough to share “castles in the mind.”  Then there is the people factor.  Not everybody can slice and dice information the same way, or with the same skill.  The real issue though is sharing “state.”   The problem with research is that it’s like climbing a mountain.  How quickly can you get others to make it up the mountain, after you?   What sort of trail or spikes can you leave along the way?   That’s where these research tools that I’m about to share come into play.   They help you not only get you and your teammates up the mountain faster, but they leave a trail that others can follow.

About the Approach

The approach is fairly easy.  It involves creating simple lists.  The power comes from how you create and share these lists.  It’s actually the information architecture of the research that unleashes the power of your research.  The single best thing you can do with your research is produce output that can easily be used by others, so that you can easily bring in more brains on the problem.  When everybody can see the lay of the land, it’s easier for people to find a faster way forward, get resourceful and solve problems.
Here is the approach in a nutshell:
  1. Gather the Questions.   In this step, simply start gathering the user questions.  Questions are everywhere.  The trick is to capture them and put them down on paper.    My favorite questions are “Why" and “What is XYZ" and “How does XYZ work” or “When do I use XYZ.”
  2. Gather the Tasks.   In this step, simply gather the user tasks.   You can interview users.  You can watch them in action.  You can survey.  You can play and explore the domain yourself.  You can analyze search queries.    What’s important is that you capture the user actions.   This complements the user questions.  Questions are the “conceptual.”  Tasks are the “actionable.”  When gathering tasks, I find it helpful to write them down individually using the pattern “How To XYZ.”
  3. Identify the Hot Spots.   As you organize your questions list and tasks list into more meaningful buckets, you’ll start to see common categories.   Consolidate the categories as best you can.  This will help you focus and refine your research and funnel what you learn.   These “Hot Spots” will make it a lot easier to slice and dice the domain into actionable nuggets.
  4. Create a Frame.    Use your “Hot Spots” to create a “Frame” for your domain.   One way to do this is to create a simple table of your “Hot Spots” and a description of each “Hot Spot.”   This creates a quick lens for looking at the domain, and puts a focus on the most important categories of information.  When you need to share your research with others, you now have a fast way to show how you broke the information space down and made it more actionable.  Experts will quickly validate or correct your frame.   That’s the beauty of this approach.  You can’t lose.  You are always improving it based on what you learn.  It’s a true learning system.
  5. Gather User Stories.   User stories are a great way to really take things to the next level.  They help to up-level the tasks, build empathy, and really put things in context.  I like to manage these as simple lists, and I use the language, “As a user, I want to …”, or “As a user, I need to …”
I’ve often said that any problem domain can quickly be broken down into questions and tasks and address 80% of what matters.   That little rule of thumb has served me well, time and again.   I never get stuck when I’m figuring out a new domain.  I always go back to the basics.  The real race is to find the fastest way to get the questions and tasks down on paper in a shared way that others can contribute, review, and prioritize.
You can browse the examples below to see what these question lists, task lists, hot spots/frame, and user stories look like.

Key Guidelines to Keep in Mind

  • The value of your solution is the value of the problem solved.   So the better job you do of capturing the right problems, the better chance you have at a successful product or solution.
  • Experience is the short cut.   Find the people with experience.   You can save yourself exponential time, money, and resources by finding the right people who have the experience who can quickly share the questions, tasks, and scenarios that matter within a given domain.
  • Relevancy is king.   The best solutions don’t matter if they aren’t relevant.  You stay relevant by staying connected.  The trick is to stay connected to the key opinion leaders and influencers within a given domain.  You want to know the movers and the shakers as well as the folks that play in the domain on a daily basis.

Hot Spots and Frames

“Hot Spots” are simply the key categories or areas of focus.   They represent the categories that are key choice points.   They are actionable.   They are “Hot Spots” because they are where 80% of the action is: the 20% of the domain that accounts for 80% of the activity.   I use “Hot Spots” as a way to slice a domain down to size and quickly get to what counts.  Each “Hot Spot” represents an area that is either a key opportunity or a key pain point.  The “Hot Spots” are a great way to organize actionable information such as principles, patterns, and practices.  
The Frame is simply a lens for looking at a problem.   It’s what’s in the picture and what’s out.  How you frame a problem domain can either simplify the problem space, or make it more complex.   When you frame the problem space well, it makes it easier to act on it.  It makes it easier to identify opportunities for innovation.  It makes it easier to research the problem space with better focus.  Focus is your friend.
The problem is that you usually don’t know the key areas up front.  Framing out the space is part of the challenge and it’s part of the by-product of your research.   What I’ve found is that when you start to collect questions and tasks, “Hot Spots” start to emerge.  You will quickly start to see patterns and things will naturally start to cluster.   This collection of “Hot Spots” becomes the backbone for your frame.   Rather than being complete, it’s about being effective.  You can use the 80/20 rule to your advantage here, which is how you both gain speed and amplify your impact by focusing on the highest priorities.

Frame Example

This is a simple example of a frame using security Hot Spots.   By using this collection of Hot Spots, it was very easy to collect questions and tasks within the security domain.  It was also easy to walk different technologies and evaluate their security profile.  We also used the frame to quickly gather and organize threats, attacks, vulnerabilities, and countermeasures.   Organizing the information using this frame made it more actionable, and it made it a lot easier to deal with information overload.
Security Frame with Hot Spots
Categories
  • Auditing and Logging
  • Authentication
  • Authorization
  • Configuration Management
  • Cryptography
  • Exception Management
  • Input and Data Validation
  • Sensitive Data
  • Session Management

Category: Key Considerations
Auditing and Logging: Who did what, and when? Auditing and logging refer to how your application records security-related events.
Authentication: Who are you? Authentication is the process by which an entity proves its identity to another entity, typically with credentials such as a user name and password.
Authorization: What can you do? Authorization is how your application provides access controls for resources and operations.
Configuration Management: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Cryptography: How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Exception Management: When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Input and Data Validation: How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Constrain input at entry points and encode output at exit points. Do you trust data from sources such as databases and file shares?
Sensitive Data: How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected in memory, over the network, or in persistent stores.
Session Management: How does your application handle and protect user sessions? A session is a series of related interactions between a user and your Web application.

Question List Example

A “Question List” is simply a list of the key questions that people ask.   You can find the key questions through surveys, going through forums, looking through blogs, and through hands on experience.  Hands on experience helps you build empathy for what really matters, which will be essential when you are trying to rank, rate, and sort your list.   It also helps to organize your questions into “Hot Spot” areas or buckets.
Architectural Frame Questions List
Contents
  • Authentication and Authorization
  • Caching and State
  • Communication
  • Concurrency and Transactions
  • Configuration Management
  • Coupling and Cohesion
  • Data Access
  • Exception Management
  • Layering
  • Logging and Instrumentation
  • State Management
  • Structure
  • Validation
  • Workflow
Authentication and Authorization
  • What are the approaches for identity store?
  • What authentication mechanism will be used?
  • What are relevant authentication and authorization patterns?
  • How do I decide if I need to implement single sign-on?
  • How do I design frontend single sign-on?
  • How do I design for backend single sign-on?
  • How do I flow identity to the backend?
  • What is impersonation and when should I use it?
  • What is delegation and constrained delegation?
Caching and State
  • How do you refresh your cache?
  • How to design effective caching mechanism?
  • What are common architectural pitfalls with caching?
  • Which layers should implement caching?
  • What data should be cached? (presentation, business and data access layers)
  • How to choose a cache store?
  • How to cache data with different logical scopes?
  • How to cache data on client side?
  • How to cache user specific data?
  • How to decide whether caching data will improve performance?
  • How to manage expiration policy and scavenging mechanism?
  • How do I protect cached data?
Communication
  • How do I structure my application to optimize communication efficiency?
  • How do I protect my communication channels?
  • How do I choose appropriate communication protocol?
  • How to flow identity across layers (tiers)?
  • What are the common architectural pitfalls with communication?
  • What are effective techniques for communication between the tiers?
  • What are effective techniques for exchanging data between the tiers?
  • How to secure communication between the layers?
  • When should I use synchronous communication?
  • When should I use asynchronous communication?
Concurrency and Transactions
  • What are effective transaction management strategies?
  • How do I determine concurrency requirements?
  • What are the common architectural pitfalls with transactions?
  • What’s the right level of granularity of transactions?
  • How do I manage distributed transactions?
  • What are the common architectural pitfalls with concurrency?
Configuration Management
  • How do I manage per app configuration?
  • How do I manage per user configuration?
  • How do I synchronize configuration across a distributed environment (solution)?
  • What are the effective configuration management patterns?
  • What are the common architectural pitfalls with configuration?
Coupling and Cohesion
  • How to determine effective layering strategy?
  • What are effective design patterns for coupling and cohesion?
  • How to determine appropriate coupling between components and between layers?
  • What are the common architectural pitfalls with coupling and cohesion?
Data Access
  • How do we pass data through the layers (tiers)?
  • How to design effective data abstraction layer?
  • How to model the data?
  • How to page records?
  • How to design for very large databases?
  • What are the common architectural pitfalls with data access?
  • What is domain-driven architecture?
  • What is a database-driven architecture?
  • How do I choose between domain-driven and database-driven?
  • Which technology should be used to access data store?
  • How to manage database connections?
  • What logic should be implemented in the data helper components?
  • How to handle transactions?
  • How to handle concurrency?
  • How to design for a multi-tenant database?
  • How to choose between in-line SQL and Stored Procedures?
Exception Management
  • How to design effective exception management strategy?
  • What are effective exception management patterns?
  • What are the common architectural pitfalls with exception management?
  • Whether to design custom exception handling logic?
  • Which layers should implement exception management?
  • How to deal with unhandled exceptions?
  • How to display exception info to users?
  • How to design logging of exception data?
  • How to propagate exceptions through layers?
Layering
  • How to design effective layering strategy?
  • What are effective design patterns for layering?
  • How to separate layers into areas of concerns?
  • How should layers interact?
  • What are the common architectural pitfalls with layering?
  • How do I migrate my existing architecture to layered architecture, for example monolithic to layered architecture, from 2-tier to layered architecture or 3-tier to layered architecture?
  • How should I structure my development teams i.e. group by layers or group by functional modules?
  • How will my solution and project structure look like when using Layered Architecture?
Logging and Instrumentation
  • How to design effective logging and instrumentation strategy?
  • What are effective logging and instrumentation patterns?
  • What are the common architectural pitfalls with logging and instrumentation?
  • Which layers should implement logging?
  • When do I need a custom logging mechanism?
  • How to make logging configurable?
  • How to secure logged data?
State Management
  • How to design effective State Management?
  • What are common architectural pitfalls with state management?
  • Which components should be stateful?
  • Which components should be stateless?
  • Where should I store state?
  • What information should be cached?
  • How to manage state in a web farm?
  • How to protect state data?
Structure
  • What are the effective strategies and patterns for structuring the applications?
  • How do I divide the application into sub-system?
  • How do I factor the applications into layers, components and services?
  • How do I factor the application into tiers?
  • What are the common architectural pitfalls with Structuring?
Validation
  • Where do you perform validation?
  • What do you validate?
  • How to validate business rules?
  • How to protect against malicious data?
  • How to handle data validation exception?
  • What are the common architectural pitfalls with validations?
  • How to design client side validation?
  • How to determine trust boundary for validation?
Workflow
  • What are the different types of workflows? What are the differences between them?
  • What are common workflow scenarios?
  • What are effective workflow patterns?
  • What are the effective tools for designing workflow?
  • What is workflow modeling and how does it help in system design?
  • What are the common pitfalls with using workflows?
  • What is “workflow persistence”?
  • How does workflow communicate with the system?
  • How to design for error recovery in a workflow?
  • How do I manage workflow instances?
  • How do I host workflows?

Task List Example

A “Task List” is simply a list of the tasks that users perform within a domain.   I find it helpful to use the language “How To.”   This forces people to think in terms of goals.  Sometimes it’s helpful to know the goal.  Sometimes it’s more helpful to know the specific tasks.   When you need to up-level it, simply ask “What are you trying to accomplish?”   When you need to drop down a notch, simply ask, “What are you trying to do?”   You can collect tasks from users through interviews, surveys, etc.   Again, I find that hands-on is one of the best ways to really build empathy for the pains and needs.   The real power comes from transforming from the problem side (the pains and needs), to the solution side (the specific goal or task that would address the pain or need.)
Architectural Frame Tasks List
Categories
  • Authentication and Authorization
  • Caching
  • Communication
  • Concurrency and Transactions
  • Configuration Management
  • Coupling and Cohesion
  • Data Access
  • Exception Management
  • Layering
  • Logging and Instrumentation
  • State Management
  • Structure
  • Validation
  • Workflow
Authentication and Authorization
  • How to identify trust boundaries
  • How to design single sign-on strategy
  • How to design role-based authorization
  • How to design resource-based authorization
  • How to design claims-based authorization
  • How to design a trusted sub-system
  • How to flow identity across layers and tiers
Caching
  • How to improve performance with caching
  • How to decide what data to cache
  • How to decide where to cache data
  • How to cache data on client side
  • How to cache user specific data
  • How to manage expiration policy and scavenging mechanism
  • How to protect cached data
  • How to implement thread safety for the cached items using locking
  • How to cache data proactively
  • How to cache data reactively
  • How to design caching for distributed environment
  • How to design caching for web farm scenarios
Communication
  • How to structure an application to optimize communication efficiency
  • How to design for remote communication
  • How to protect communication channels
  • How to choose a communication protocol
  • How to pass data across layers
  • How to flow identity across layers (tiers)
  • How to secure communication between the layers
  • How to design for synchronous communication
  • How to design for asynchronous communication
  • How to design fire and forget (one way) communication
Concurrency and Transactions
  • How to design for transactions
  • How to manage distributed transactions
  • How to design for atomic transactions
  • How to design for long running transactions
  • How to design for distributed transactions
  • How to choose isolation level
Configuration Management
  • How to design configuration
  • How to choose a configuration store
  • How to separate application data from configuration data
  • How to synchronize configuration across distributed environment
  • How to protect sensitive configuration information
  • How to enable changing configuration information at run-time
Coupling and Cohesion
  • How to design for loose coupling across layers
  • How to design for high cohesion within layers
  • How to design message based interfaces
Data Access
  • How to design your data access layer
  • How to design data abstraction
  • How to pass data across layers and tiers
  • How to model your data
  • How to page records
  • How to design for very large databases
  • How to design a domain-driven architecture
  • How to design a database-driven architecture
  • How to manage database connections
  • How to handle transactions
  • How to handle concurrency
  • How to design for a multi-tenant database
Exception Management
  • How to design exception management
  • How to design for unhandled exceptions
  • How to design structured exception handling
  • How to design for appropriate display of exception data
  • How to plan and design for exception logging
  • How to propagate exceptions in a distributed design
  • How to design for notifications
Layering
  • How to design layering
  • How to choose communication options between layers
  • How to design message based interfaces for remote layers
  • How to separate layers into areas of concerns
Logging and Instrumentation
  • How to design logging
  • How to design for instrumentation
  • How to design logging for distributed environment
  • How to design logging for web farm scenario
  • How to configure logging
  • How to secure logged data
State Management
  • How to choose the appropriate state model
  • How to flow call context data across application layers
  • How to design State Management
  • How to store state
  • How to manage state in a web farm
  • How to protect state data
  • How to design for passing data across tiers
Structure
  • How to choose patterns for structuring your application
  • How to factor security requirements when structuring your application
  • How to factor performance and scalability requirements when structuring your application
  • How to factor the applications into layers, components and services
  • How to factor the application into tiers
Validation
  • How to identify trust boundaries
  • How to design a centralized validation solution
  • How to validate input and data against business rules
  • How to validate input and data for security
  • How to validate the integrity of data
  • How to handle data validation exceptions
Workflow
  • How to design workflow
  • How to choose a workflow technology
  • How to choose authoring mode

Summarizing Task Lists

I’ve found it especially helpful to organize massive lists of tasks into simple two-column tables.   This creates a view that makes it very easy to prioritize, cut, or elaborate, in a fast and simple way.   You can color code your lists.  You can bubble key things to the top.  You can make whitespace where you need it.  You can group your tasks under sub-items within a row.   The choices are endless, but two-column tables do make dealing with massive mounds of information a breeze.  The way they compact and frame information makes scanning very easy, which is important when you are trying to get the “bird’s-eye view.”
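Here is an added example (mine, not part of the original post) that mechanizes two of the steps described earlier: sorting the gathered questions and tasks into Hot Spots (step 3 of the approach) and rolling them up into the two-column summary this section describes. It uses the security frame from the Frame Example. The keyword rules are assumptions I made for the demo, and the items are a constructed sample, mostly taken from the lists on this page; anything that matches no rule lands in an “Unsorted” pile, which is the cue that the frame is missing a Hot Spot.

```python
"""Sort collected research items (questions and tasks) into Hot Spots and
summarize them as a two-column table.

Added example for this post, not code from the original. The keyword rules
are my assumption about which terms signal each Hot Spot; the sample items
are constructed for the demo (most are drawn from the lists in the post).
"""
import re

# Hot Spots from the post's security frame, each with a regex of terms that
# route an item into that bucket (assumed rules; refine them as experts
# validate or correct the frame).
HOT_SPOTS = {
    "Auditing and Logging": r"\b(audit\w*|log(ging|ged|s)?\b)",
    "Authentication": r"\b(authenticat\w*|credential\w*|password\w*|sign-on|login)",
    "Authorization": r"\b(authoriz\w*|role-based|permission\w*|access control)",
    "Configuration Management": r"\b(config\w*|connection string\w*|run as)",
    "Cryptography": r"\b(encrypt\w*|crypt\w*|hash\w*|random\w*|sign(ed|ing|s)?\b(?!-)|signature\w*)",
    "Exception Management": r"\b(exception\w*|error\w*|fail\w*)",
    "Input and Data Validation": r"\b(validat\w*|input\w*|encod\w*|saniti[sz]\w*|malicious)",
    "Sensitive Data": r"\b(sensitive|secret\w*|pii\b)",
    "Session Management": r"\b(session\w*|cookie\w*)",
}
UNSORTED = "Unsorted"

# Constructed sample of research items, mostly lifted from the lists in this post.
ITEMS = [
    "How do I protect my communication channels?",
    "How to use a least-privileged database login.",
    "How to keep sensitive information out of your log files.",
    "How to protect connection strings stored in configuration files using DPAPI.",
    "How to encrypt cached data",
    "How to sign cached data to avoid tampering",
    "How to display friendly error messages to normal users.",
    "How to validate input and data for security",
    "How to manage state in a web farm",
    "How to cache security credentials",
    "How to design role-based authorization",
    "How to protect state data",
]


def sort_into_hot_spots(items, rules=HOT_SPOTS):
    """Return {hot spot: [items]}; an item may land in several buckets.

    Items that match no rule go under UNSORTED. A growing Unsorted pile is
    the signal that the frame needs another Hot Spot.
    """
    compiled = {name: re.compile(pattern, re.IGNORECASE) for name, pattern in rules.items()}
    buckets = {name: [] for name in rules}
    buckets[UNSORTED] = []
    for item in items:
        hits = [name for name, rx in compiled.items() if rx.search(item)]
        for name in hits or [UNSORTED]:
            buckets[name].append(item)
    return buckets


def rank_hot_spots(buckets):
    """Hot Spots by item count, busiest first (ties alphabetical); UNSORTED excluded."""
    counts = [(name, len(items)) for name, items in buckets.items() if name != UNSORTED]
    return sorted(counts, key=lambda nc: (-nc[1], nc[0]))


def render_two_column(buckets, width=26):
    """Plain-text two-column table: Category | Items, one item per line."""
    lines = [f"{'Category':<{width}} Items", "-" * (width + 48)]
    for name, items in buckets.items():
        if not items:
            lines.append(f"{name:<{width}} (no items yet: under-researched or not applicable)")
            continue
        for i, item in enumerate(items):
            label = name if i == 0 else ""
            lines.append(f"{label:<{width}} * {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    sorted_items = sort_into_hot_spots(ITEMS)
    print(render_two_column(sorted_items))
    print()
    for name, count in rank_hot_spots(sorted_items):
        print(f"{count:2d}  {name}")
```

Run it and the Unsorted pile (communication channels, state in a web farm, state data) is exactly the kind of cluster that tells you the frame is missing a Hot Spot such as Communication or State Management, while the empty Session Management row tells you where the research is thin. Keyword routing is deliberately crude; its job is the first pass, so the people with experience spend their time correcting buckets rather than reading raw lists.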
Category Items
Authentication and Authorization
Caching Design
  • How to design caching
  • How to improve performance with caching
  • How to manage the lifetime of cached data
  • How to cache data with different logical scopes
  • How to cache data on client side
  • How to cache user specific data
  • How to manage expiration policy and scavenging mechanism
  • How to protect cached data
  • How to identify the data that needs to be cached
  • How to add an item to the cache
  • How to remove an item from the cache
  • How to retrieve an item from the cache
  • How to make data available offline
  • How to cache multiple versions of a Web Page
  • How to set constraints for the items in Cache
  • How to cache frequently used static data
  • How to store user-specific items into cache
  • How to cache groups of related items
  • How to use caching in a multi-server application deployment
  • How to update the cache based on user events
  • How to update the cache based on system events
  • How to monitor cache performance using performance counters
Cache location
  • How to develop a cache location strategy
  • How to cache data in UI components
  • How to cache data in business entities
  • How to cache data in data access components
  • How to cache data in data access helpers
  • How to cache data in service agents
  • How to cache images on the client
  • How to retrieve cached data
Cache store
  • How to develop a cache storage strategy
  • How to use static variables for caching
  • How to use session state to cache per-user session state in ASP.NET applications
  • How to use client side caching for better server performance in Web applications
  • How to use page output caching in ASP.NET applications
  • How to use fragment caching for web pages
  • How to implement client side caching using hidden fields
  • How to implement client side caching using ViewState
  • How to implement client side caching using hidden frames
  • How to implement page fragment caching using Cookies
  • How to implement page fragment caching using Query Strings
  • How to use Internet Explorer caching
Expiration Policy
  • How to choose an appropriate expiration policy
  • How to invalidate the cached data based on relative time periods
  • How to invalidate the cached data based on absolute time periods
  • How to invalidate the cached data based on notification of file changes
  • How to invalidate the cached data based on notification of database changes
  • How to invalidate an item from the cache when another cached item changes
  • How to flush cached data that is obsolete or damaged
  • How to implement a flushing strategy to reduce memory and disk consumption
  • How to notify the application when an item is removed from the cache
Security Considerations
  • How to encrypt cached data to keep it confidential
  • How to sign cached data to avoid tampering
  • How to implement thread safety for the cached items using locking
  • How to implement thread safety for the cached items using cloning
  • How to serialize cached items for use in an application farm
  • How to cache security credentials
  • How to cache configuration information
Cache Loading
  • How to cache data pro-actively
  • How to cache data reactively
  • How to implement asynchronous pull loading
  • How to implement notification-based loading
  • How to implement synchronous pull loading
Communication
  • How to structure an application to optimize communication efficiency
  • How to protect communication channels
  • How to choose a communication protocol
  • How to flow identity across layers (tiers)
  • How to secure communication between the layers
  • How to design for synchronous communication
  • How to design for asynchronous communication
Concurrency and Transactions
  • How to design for transactions
  • How to manage distributed transactions
  • How to design for atomic transactions
  • How to design for long running transactions
  • How to design for distributed transactions
Configuration Management
  • How to design configuration
  • How to separate app data from config data
  • How to synchronize configuration across distributed environment
Coupling and Cohesion
  • How to determine coupling between components and layers
  • How to maintain cohesion between components and layers
Data Access Design
  • How to design your data access layer
  • How to design data abstraction
  • How to pass data across layers and tiers
  • How to model your data
  • How to page records
  • How to design for very large databases
  • How to design a domain-driven architecture
  • How to design a database-driven architecture
  • How to manage database connections
  • How to handle transactions
  • How to handle concurrency
  • How to design for a multi-tenant database
Blob
  • How to handle BLOBs using the DataReader.
  • How to read BLOB data from the database.
  • How to write BLOB data to the database.
Batching
  • How to execute SQL statements in a batch.
  • How to use Data Adapter for batch updates.
Command
  • How to execute simple Inline SQL statements using command object.
  • How to execute SQL statements with parameters.
  • How to retrieve a single item result after executing a command.
  • How to execute data access commands asynchronously.
Connection
  • How to use Windows authentication for data access.
  • How to use SQL authentication for data access.
  • How to create a connection object for a specific Database type.
  • How to protect connection strings stored in configuration files using DPAPI.
  • How to protect connection strings stored in configuration files using RSA.
  • How to protect connection strings stored on Web farm servers.
  • How to use Connection Pooling to improve command performance.
  • How to monitor connection pooling for SQL Server connections.
  • How to retrieve connection string details.
  • How to close database connections.
  • How to open an asynchronous connection.
  • How to use MARS to perform multiple operations on a single database connection.
Data Reader
  • How to use DataReader to retrieve multiple rows.
  • How to use an index or ordinal-based lookup when using DataReader.
  • How to use DataReader for sequential access.
  • How to close the connection when using a DataReader.
DataSet
  • How to populate a DataSet with the results from a stored procedure.
  • How to populate a DataSet with the results from a SQL statement.
  • How to populate a DataSet with multiple result sets.
  • How to update database tables using a modified DataSet.
  • How to perform indexed searching in a DataSet.
  • How to perform repetitive non-primary key searching.
  • How to filter data in a DataSet.
  • How to sort data in a DataSet.
  • How to use the Optimistic Concurrency Model for DataSet.
  • How to use Serialization.
  • How to use Binary Serialization while exchanging a DataSet over the network.
  • How to use XML Serialization while exchanging a DataSet over the network.
  • How to read XML data and populate a DataSet.
Exception Handling
  • How to use structured exception handling in data access.
  • How to log ADO.NET exception details.
  • How to display friendly error messages to normal users.
  • How to show detailed error messages for debugging purposes.
Paging
  • How to implement paging to retrieve user-specific records.
  • How to implement paging to retrieve application-wide records.
Security Considerations
  • How to use a least-privileged database login.
  • How to restrict database access on hosted servers.
  • How to restrict unauthorized callers.
  • How to restrict unauthorized code from accessing data.
  • How to keep sensitive information out of your log files.
Stored Procedures
  • How to pass a parameter to a stored procedure.
  • How to retrieve output parameter values of a stored procedure.
  • How to call a stored procedure using SQL and OLEDB providers.
  • How to cache stored procedure parameters.
Transactions
  • How to set an appropriate isolation level for a transaction.
  • How to execute stored procedures within a transaction.
  • How to use transactions when accessing data on a single data store.
  • How to use transactions when accessing data on multiple data stores
Validation
  • How to validate input parameters used for data access.
  • How to prevent SQL injection when using dynamic SQL.
  • How to validate dynamic SQL using escape routines.
XML
  • How to read XML data returned after executing a SQL command
  • How to retrieve XML data from a DataSet.
  • How to use OpenXML to perform bulk updates and inserts.
  • How to retrieve data using bulk copy.
Exception Management
  • How to design exception management
  • How to design for unhandled exceptions
  • How to design structured exception handling
  • How to design the appropriate display of exception data
  • How to plan for and design exception logging
  • How to propagate exceptions in a distributed design
Handling Exceptions
  • How to catch exceptions of specific type
  • How to use a generic error page for handling exceptions in Web applications
  • How to catch unhandled exceptions
  • How to create a custom exception class to handle exceptions
  • How to display user-friendly error messages to users and detailed exception information for debugging purposes
Logging Exceptions
  • How to log exceptions in the Windows Event Log
  • How to choose the event sinks for logging events in an application
  • How to create notifications for applications with a monitoring system
  • How to create notifications for applications without a monitoring system
Managing Exceptions
  • How to manage exceptions in your application
  • How to propagate an exception automatically
  • How to catch and rethrow an exception
  • How to replace an exception with another exception
  • How to wrap an exception with a different exception
  • How to notify the user of an exception
  • How to avoid unnecessary exceptions
  • How to manage unhandled exceptions
  • How to design a structured exception handling architecture
  • How to use the finally block to release resources
Layering
  • How to design layering
  • How to separate layers into areas of concerns
Logging and Instrumentation
  • How to design logging
  • How to design instrumentation
  • How to configure logging
  • How to secure logged data
Formatting
  • How to format messages to be logged.
  • How to use TemplatedMailWebEventProvider to define and format e-mail messages for event notifications
  • How to use BooleanSwitch to control logging message levels
Log Store
  • How to identify the log store to be used.
  • How to log messages to a flat file
  • How to log messages to an XML file
  • How to log messages to a database
  • How to use SqlWebEventProvider to log event details to a SQL Server database
  • How to log messages as WMI events
  • How to log messages to MSMQ
  • How to use EventLogWebEventProvider to log events to the Windows application event log
  • How to use SimpleMailWebEventProvider to send e-mail for event notifications
  • How to log messages over the network.
  • How to collate log information from different stores
Security Considerations
  • How to sanitize message for sensitive data before logging.
  • How to protect audit and log files.
  • How to protect logging information in database.
  • How to analyze the log files for intrusion.
  • How to backup and archive application logs.
  • How to log details when accessing sensitive application data.
Source
  • How to identify business / application critical events that need to be logged.
  • How to identify unusual activities that need to be logged.
  • How to log windows authentication failures.
  • How to log Forms authentication failures
  • How to log invalid view state event.
  • How to log unauthorized access to files or folders.
  • How to log unauthorized resource access event.
  • How to log unauthorized actions not allowed by current trust level
  • How to log unauthorized access to pages and paths.
  • How to log application compilation errors.
  • How to log application configuration errors
  • How to log unknown errors.
  • How to log validation error occurrences.
  • How to log unhandled exception occurrences.
  • How to log windows authentication success.
  • How to log forms authentication success.
  • How to log successful file or folders access.
  • How to log successful pages or paths access.
  • How to log user password reset / changes events.
  • How to log user creation / deletion / modification / lockout events.
  • How to log role assignment events.
  • How to log unhandled exceptions.
  • How to trace an application using logging
  • How to debug application using logging
Tracing
  • How to control application tracing without recompilation
  • How to use TraceSwitch to control logging message levels
  • How to use TextWriterTraceListener to log in a text file
  • How to use EventLogTraceListener to write to an event log
  • How to use ConsoleTraceListener to write to an output or error stream
  • How to use XmlWriterTraceListener to log xml encoded data to a stream
  • How to create a Custom Trace Listener to direct output to a desired destination
  • How to use TraceWebEventProvider to log events as ASP.NET trace messages
  • How to use WmiWebEventProvider to map ASP.NET health monitoring events to Windows Management Instrumentation (WMI) events
State Management
  • How to choose the appropriate state model
  • How to flow call context data across application layers
  • How to design State Management
  • How to store state
  • How to manage state in a web farm
  • How to protect state data
Structure
  • How to factor the applications into layers, components and services
  • How to factor the application into tiers
Validation
  • How to validate input and data against business rules
  • How to validate input and data for security
  • How to validate the integrity of data.
  • How to handle data validation exceptions
Workflow
  • How to design workflow
  • How to choose a workflow technology

User Stories at a Glance Example

One of the most powerful techniques I use to rapidly gather user requirements is user stories.  I find that capturing user stories with the language “As a user, I need to …” or “As a user, I want to …” really helps add context and clarity, while keeping it amazingly simple.   I also find that organizing the user stories by Hot Spots goes a long way, especially when you are dealing with a large amount of information.   Below is an example where I was collecting user stories to rapidly figure out the top concerns of business leaders and Enterprise Architects when it comes to cloud computing.
The beauty is that when you capture the user stories well, it is very easy to deal with both timeless stories and timely ones.   In this particular example, even though it’s a few years old, you can see that the top issues that it exposes are alive and well.  One additional point on this example is that I used another information pattern.  I call it the “View More” pattern.   I use it to bubble up the short-list and then push the rest of the list below the “View More …” heading.  It’s highly effective for organizing very large information sets, especially if you alphabetize the list.
User Stories for Cloud Enterprise Strategy
Categories
  • Awareness / Education
  • Architecture
  • Availability
  • Competition
  • Cost
  • Governance and Regulation
  • Industry
  • Integration
  • Operations
  • People
  • Performance
  • Planning
  • Risk
  • Security
  • Service Levels / Quality of Service
  • Solutions
  • Sourcing
  • Strategy
  • Support
Cloud Enterprise Strategy Scenarios Map
Category Items
Awareness / Education
  • As a Business Leader, I want Microsoft to define their perspective on Cloud Computing and provide a holistic view of how their products, technologies and services help me
  • As an Enterprise Architect, I want to know how the cloud architecture supports my business goals and enterprise architecture
  • As an IT Leader, I want details on training and educating my staff in the use and support for the service

View More…
  • As a Business Leader, I want to understand why I wouldn't go to a proven partner that has a history of doing this for my competition, one that is already providing a similar service as part of our outsourcing agreement
  • As an Enterprise Architect, I want to understand how the cloud architecture reduces complexity
  • As an Enterprise Architect, I want a way to see what my peers are doing, to learn and support each other
  • As an Enterprise Architect, I want actionable guidance for prioritization of ground apps to cloud apps. How do I work out the balance for what should go into the cloud?
  • As an Enterprise Architect, I want education on the content myself so that I am well versed in the specific items that apply to my customer
  • As an Enterprise Architect, I want to know the good, bad, and ugly so that I am not misrepresenting this to the customer based on marketing material
  • As an Enterprise Architect, I want to understand why I would even consider moving to the cloud. What we have works, why change?
  • As an Enterprise Strategy Architect, I want to understand the perceptions of customers and assumptions they will have that lead to preconceived ideas – and how do I ‘unlearn’ them to get to a better discussion
  • As an Enterprise Strategy Architect, I want to understand the right sequence of steps to educate a customer on cloud
  • As an IT Leader, I want to know where the complexity is in the cloud. Every new paradigm claims to be simpler but still has to deal with the same operational baggage – where is the complexity in cloud solutions?
  • As an IT Leader, I want to know why I wouldn't just go to a traditional outsourcer
  • As an IT Leader, I want to understand how I manage corporate data that may span multiple cloud scenarios
  • As an IT Leader, I want to understand why I would introduce yet another environment into my services and the associated complexity
Architecture
  • As an Enterprise Architect, I want to see reference architecture for compelling cloud scenarios that will help me build a desired end-state for my specific customer scenario
  • As an Enterprise Architect, I want to see case studies of both success and failure
  • As an Enterprise Strategy Architect, I want to learn about proven Reference Architecture patterns for the cloud.

View More…
  • As an Enterprise Architect, I want to understand Microsoft’s reference models for cloud concepts and terms.
  • As an Enterprise Strategy Architect, I want data movement and management patterns and best practices
  • As an Enterprise Strategy Architect, I want to identify Cloud System Integration Patterns (Cloud-To-Ground, VendorCloud-To-Ground, OurCloud-ToVendorCloud, VendorCloud-to-VendorCloud-to-Ground, etc)
Availability
  • As a Business Leader, I want to understand geographical redundancy
  • As an Enterprise Architect, I want to know how to handle disaster recovery in the cloud
  • As an IT Leader, I want to understand the same details I would expect from my own data center (fault tolerance, back up procedures, disaster recovery etc.)

View More…
  • As a Business Leader, I want to know what happens when the next country decides to block Internet access
  • As an Enterprise Architect, I want to learn how to evaluate cloud services for availability across all regions I need to cover. (What is the performance? What about support in a global environment?)
Competition
  • As a Business Leader, I want to know how Microsoft’s cloud offerings compare to the competition, and especially Amazon Web Service
  • As a Business Leader, I want to understand how cloud offerings can give me a leg up on my competition
  • As an Enterprise Architect, I want a way to know what competitors are saying and how it should be addressed
Cost
  • As a Business Leader, I want to understand the cost structure for cloud solutions
  • As an Enterprise Architect, I want a way to create a realistic cost model based on the current workload
  • As an IT Leader, I want to know if I need to migrate or rewrite my apps and what are the costs associated with this

View More…
  • As a Business Leader, how do I manage the transition period in which I probably have to pay twice?
  • As a Business Leader, I want a consistent cost of service so that I can manage against my budget
  • As a Business Leader, I want to know how to manage cloud service subscriptions across a large enterprise to optimize subscription costs
  • As a Business Leader, I want to know that I am not going to incur a large spike in my costs as part of the migration to the cloud
  • As a Business Leader, I want to know what geographic redundancy does to my bandwidth usage and costs
  • As an Enterprise Architect, I want a way to assist with the customer presentations and planning discussions
  • As an Enterprise Architect, I want a way to identify areas in IT where cost reductions can be had with relatively low risk
  • As an Enterprise Architect, I want the costs to be known and predictable so that I can budget accordingly
  • As an Enterprise Architect, I want to learn how to manage cloud service subscriptions across a large enterprise to optimize subscription costs
  • As an Enterprise Architect, I want to understand how to build the cost model for the customer
  • As an Enterprise Architect, I want to understand the taxation impact on Cloud based Transactions (state, Federal, inter-nation)
  • As an IT Leader, I want a clear cost breakdown contrasted against my current costs or if I used my existing environment
  • As an IT Leader, I want to understand how I can implement chargeback within my IT environment to provide more transparency on costs
  • As an IT Leader, I want to understand the cost structure for the cloud solutions
Governance and Regulation
  • As a Business Leader, I want to know how to manage government regulations related to where certain info can be stored. (For large enterprises that have subsidiaries in several countries, a single cloud service may not be able to comply with each country's various regulatory needs)
  • As an Enterprise Architect, I want a way to address all regulations and restrictions that may be realized for my customers in all areas they do business
  • As an Enterprise Architect, I want to ensure I am meeting regulatory requirements

View More…
  • As a Business Leader, I want to know how to adhere to the various government regulations related to pricing and information storage
  • As a Business Leader, I want to understand the environmental impact of moving to the cloud. How will this impact my green initiatives?
  • As an Enterprise Architect, I want to learn how to adhere to the various government regulations related to pricing and information storage.
  • As an Enterprise Architect, I want to learn how to manage government regulations related to where certain information can be stored.
  • As an Enterprise Architect, I want to understand the jurisdiction issues with the cloud and how to mitigate them for my region(s)
Industry
  • As an Enterprise Strategy Architect, I want to identify the relevant cloud industry trends for the business.
Integration
  • As a Business Leader, I want to understand how I integrate with my existing systems
  • As an Enterprise Architect, I want to understand how to integrate cloud solutions with my existing processes
  • As an IT Leader, do I need to move all my integrated apps to the cloud or can I do this progressively? What does this mean when apps are integrated (data, web services…)?
Operations
  • As an IT Leader, I want to know how many environments do I need and what are the implications and costs (dev/test/pre-prod/prod)
  • As an IT Leader, I want to know how to integrate cloud reporting into my existing reporting infrastructure
  • As an IT Leader, I want to understand release management requirements to ensure they fit with our current procedures or do not create undue overhead

View More…
  • As an IT Leader, I want to know what the reporting capabilities of the service are. This provides visibility to the business on how the services are performing.
  • As an IT Leader, I want to understand a holistic view on management that spans all cloud scenarios
  • As an IT Leader, I want to understand how I model the health of applications that may span private and public clouds or fully deployed in public cloud to ensure I can have better control on service levels
  • As an IT Leader, what is the flexibility of an organization to decide when upgrades are appropriate based on their priorities and rhythms, and how can I test my environment before upgrading the production environment?
People
  • As a Business Leader, I want to understand how my workforce must evolve to embrace the cloud
  • As a Business Leader, I want to understand how the cloud impacts my user base globally
  • As an Enterprise Architect, I want to know what this means to IT teams (Do I need to get rid of people or repurpose the teams, which means up-leveling and training?)

View More…
  • As a Business Leader, I want to understand how various cloud scenarios impact my workforce levels
  • As an Enterprise Strategy Architect, I want guidance for measuring the impact of moving a system to the cloud (business and IT)
Performance
  • As a Business Leader, I want to understand how my service level management processes need to cater to online service redelivery
  • As an Enterprise Architect, I want to know what are the availability, reliability, and scalability of the cloud (What do the SLAs mean? Do they still hold the same commitments?)
  • As an IT Leader, I want to know that I can make quick patches to address immediate quality of service issues

View More…
  • As an Enterprise Architect, I want the cloud to provide elasticity for my business as it expands and contracts to address seasonal load
  • As an IT Leader, I want to know how to more effectively manage capacity requirements to avoid underutilized infrastructure and leverage online service more effectively
  • As an IT Leader, I want to understand the level of service I can expect for all of my user base
Planning
  • As a Business Leader, I want to understand how I test the solution before deployment
  • As a Customer, I want to know how to work out the balance for what should go into the cloud – I accept it’s not 0% and not 100% - but how do I find the right balance?
  • As an Enterprise Architect, I want to develop some guiding architectural principles to help me build strategy and roadmap around Cloud Computing

View More…
  • As a Business Leader, I want to determine the effort needed to migrate our existing solution. Is this a lift and shift? Is this a rewrite, do we extend?
  • As an Enterprise Architect, I want a way to determine the items in the cloud offerings that are relevant to my customer
  • As an Enterprise Architect, I want my application portfolio management to inject cloud relevant criteria to decide what moves to the cloud and when (if it all)
  • As an Enterprise Architect, I want to ensure we are not impacting the ability to realize change
  • As an Enterprise Architect, I want to know how I can reduce my IT infrastructure burden by bursting capabilities into the cloud when I can’t outsource the whole service to the cloud
  • As an Enterprise Architect, I want to know what maturity levels for what capabilities I need to ensure to better enable leveraging cloud scenarios
  • As an Enterprise Architect, I want to understand how I can treat my physical infrastructure assets as more of a fabric and abstract the complexities of OEM devices
Risk
  • As a Business Leader, I want to know how I can retrieve my IP/Data should I decide to move provider (service lock-in)
  • As an Enterprise Architect, I want to understand the areas of risk that I am accepting by trusting an external data center and service
  • As an IT Leader, I want to know the blockers that lead to implementation failure

View More…
  • As a Business Leader, how comfortable is a European company to host in a datacenter that is in the US?
  • As a Business Leader, I want to know what happens if the service is not reliable. What are my options? Can I easily find another solution and get out of the contract?
  • As a Business Leader, I want to understand the risks of depending on a single partner to run my business
  • As a Business Leader, I want to understand what is involved if we decide to return to our existing service
  • As an Enterprise Architect, I want to be able to test with low risk opportunities if we decide to proceed
  • As an Enterprise Architect, I want to know how to avoid vendor lock in
  • As an Enterprise Architect, I want to understand how to identify low risk opportunities for the cloud
  • As an IT Leader, I want to know the blockers for adoption that cause decision paralysis
  • As an IT Leader, I want to know where the complexity is in cloud based solutions
Security
  • As an Enterprise Architect, I want to understand what new security risks exist in the cloud and what old risks have been mitigated
  • As an Enterprise Architect, I want to know how I manage identity across cloud scenarios considering I’ve already invested heavily in my internal IT
  • As an Enterprise Architect, I want to know how to manage privacy and integrity of the data if it’s hosted in the cloud. (How do I restrict access to the data by the hoster, and what do I do about a local copy of the data that is synchronized regularly?)

View More…
  • As an Enterprise Architect, I want to know how to manage accessing cloud services from within the various heterogeneous internal networks
  • As an Enterprise Architect, I want to understand a holistic view on security that spans all cloud scenarios
  • As an Enterprise Architect, my company has invested in a common directory (AD/SSO). How does this work in the cloud?
Service Levels / Quality of Service
  • As a Business Leader, I want to understand who is liable in the event of a service failure
  • As a Business Leader, I want to understand who is liable in the event of a security breach
  • As an Enterprise Architect, I want to understand what level of technical support is available to myself and my team

View More…
  • As a Business Leader, I want to know if I’ll have to change my SLA with customers
  • As an Enterprise Architect, I want to know how the cloud infrastructure is supported
Solutions
  • As a Business Leader, I want to try before I buy and have access to a proof of concept
  • As an Enterprise Architect, I want access to experts that can do analysis on creating solutions to determine the issues, risks, and costs for migration
  • As an IT Leader, I want to understand the balance for what should go in the cloud; I accept it’s not 0% and not 100%, how do I find the right balance

View More…
  • As an Enterprise Architect, I want a way to assist with the proof of concept
  • As an Enterprise Strategy Architect, I want to know how I can backup our Ground based HPC with the Cloud for on demand scale
  • As an IT Leader, I want my IT strategy to reflect Cloud computing, on-premises and off-premises capabilities
Sourcing
  • As an Enterprise Architect, I want to know how to do partnership management in the cloud. (Managing a partner is hard and when this comes down to the fact that the service can be unavailable it is even more important to do a good job)
  • As an Enterprise Architect, I want to know how to evaluate whether the application or system is considered core to my business and could be sourced to a partner in the cloud (Can the system or application be hosted outside of the intranet?)
  • As an Enterprise Strategy Architect, I want to know how to use the Cloud for our DR plan. (i.e. fail from Ground to Cloud)
Strategy
  • As an Enterprise Architect, I want to understand Microsoft’s strategy for cloud
Support
  • As a Business Leader, I want to know how we integrate with our existing help desk for escalation
  • As a Business Leader, I want to know if there is a reliable support structure (24x7)
  • As an IT Leader, I want to know what happens if something goes wrong; how fast will I be notified of an issue, how long will it take to be addressed, what priority will I be given contrasted against the other consumers of the service?

View More…
  • As a Business Leader, I want to know what the support implications are in a global environment
  • As an Enterprise Architect, I want to know how to evaluate or enforce a 24x7 support model with the cloud
  • As an Enterprise Architect, I want to know who I call if I am experiencing an issue with the hosted solution
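The two patterns the user-stories section describes (the “As a role, I want …” template grouped by Hot Spot, and the short list followed by an alphabetized “View More…” tail) as a small script. This is an added example, not code from the original post; the vote counts it ranks the short list by are an assumption, since the post only says the short list holds the top concerns.

```python
"""Added example (not from the original post): organize captured user stories
into the post's layout. It parses the "As a <role>, <need>" template, groups
stories by category (the Hot Spot), bubbles the top-N by vote count into the
short list, and alphabetizes the rest under a "View More..." heading.
Vote counts are an assumption of this example."""
import re
from collections import Counter, defaultdict

# The user-story template: the role is everything between "As a(n)" and the
# first comma; the rest of the sentence is the need ("I want ...", "I need ...",
# or a bare question, which the post's own example also contains). Stories
# written without the comma are flagged for cleanup rather than guessed at.
STORY_RE = re.compile(r"^As an?\s+(?P<role>[^,]+?)\s*,\s*(?P<need>.+)$")


def parse_story(text):
    """Return (role, need) for a story in template form, or None if it is not."""
    m = STORY_RE.match(text.strip())
    if m is None:
        return None
    return m.group("role").strip(), m.group("need").strip()


def organize(stories, top_n=3):
    """Group (category, votes, text) triples into {category: (short_list, view_more)}.

    short_list: the top_n stories by votes, highest first (ties keep capture order).
    view_more:  the remaining stories, alphabetized so a long list stays scannable.
    Also returns the stories that do not fit the template, so they can be fixed.
    """
    by_category = defaultdict(list)
    rejected = []
    for category, votes, text in stories:
        if parse_story(text) is None:
            rejected.append(text)
            continue
        by_category[category].append((votes, text))
    result = {}
    for category, items in by_category.items():
        ranked = sorted(items, key=lambda it: -it[0])  # sorted() is stable
        short = [t for _, t in ranked[:top_n]]
        more = sorted(t for _, t in ranked[top_n:])
        result[category] = (short, more)
    return result, rejected


def role_counts(stories):
    """Who is asking: number of well-formed stories per role."""
    parsed = (parse_story(t) for _, _, t in stories)
    return Counter(p[0] for p in parsed if p is not None)


def render(organized):
    """Emit the layout used in the post: category, short list, then View More."""
    lines = []
    for category in sorted(organized):
        short, more = organized[category]
        lines.append(category)
        lines.extend(f"  \u2022 {s}" for s in short)
        if more:
            lines.append("")
            lines.append("View More\u2026")
            lines.extend(f"  \u2022 {s}" for s in more)
    return "\n".join(lines)


# Constructed sample: a few stories with made-up vote counts.
SAMPLE = [
    ("Cost", 5, "As a Business Leader, I want to understand the cost structure for cloud solutions"),
    ("Cost", 4, "As an Enterprise Architect, I want a way to create a realistic cost model based on the current workload"),
    ("Cost", 1, "As an IT Leader, I want to understand how I can implement chargeback within my IT environment"),
    ("Cost", 3, "As an IT Leader, I want to know if I need to migrate or rewrite my apps and what the costs are"),
    ("Cost", 2, "As a Business Leader, how do I manage the transition period in which I probably have to pay twice?"),
    ("Security", 4, "As an Enterprise Architect, I want to know how I manage identity across cloud scenarios"),
    ("Security", 2, "Need SLA for breach notification"),  # not in template form
]

if __name__ == "__main__":
    organized, rejected = organize(SAMPLE)
    print(render(organized))
    print("\nNot in template form:", rejected)
    print("Stories per role:", dict(role_counts(SAMPLE)))
```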
